Equifax Inc. is a data analytics and technology company that assists organizations and individuals in making informed business and personal decisions. Headquartered in Atlanta, Ga., Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs over 10,000 employees worldwide.

Founded in 1899 and based in Atlanta, Georgia, it is one of the three largest credit agencies along with Experian and TransUnion (known as the “Big Three”).[3] Equifax has US$3.1 billion in annual revenue and 9,000+ employees in 14 countries.[4]

In addition to credit and demographic data and services to business,[5] Equifax sells credit monitoring and fraud-prevention services directly to consumers.[6] Like all credit reporting agencies, the company is required by U.S. law to provide consumers with one free credit report every year.[7]

Equifax was the subject of more than 57,000 consumer complaints to the Consumer Financial Protection Bureau from October 2012 to September 17, 2017, with most complaints relating to incomplete, inaccurate, outdated, or misattributed information held by the company.[8]

In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017,[9] where cybercriminals accessed approximately 145.5 million U.S. Equifax consumers’ personal data, including their full names, Social Security numbers, birth dates, addresses, and driver license numbers. Equifax also confirmed at least 209,000 consumers’ credit card credentials were taken in the attack. On March 1, 2018, Equifax announced that 2.4 million additional U.S. customers were affected by the breach.[10] The company claims to have discovered evidence of the cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.

Equifax was founded by Cator and Guy Woolford in Atlanta, Georgia, as Retail Credit Company in 1899.[11] The company grew quickly and by 1920 had offices throughout the United States and Canada. By the 1960s, Retail Credit Company was one of the nation’s largest credit bureaus, holding files on millions of American and Canadian citizens. Even though the company continued to do credit reporting, the majority of their business was making reports to insurance companies when people applied for new insurance policies including life, auto, fire and medical insurance. All of the major insurance companies used RCC to get information on health, habits, morals, use of vehicles and finances. They also investigated insurance claims and made employment reports when people were seeking new jobs. Most of the credit work was then being done by a subsidiary, Retailers Commercial Agency.

Retail Credit Company’s extensive information holdings, and its willingness to sell them to anyone, attracted criticism of the company in the 1960s and 1970s. These included that it collected “…facts, statistics, inaccuracies and rumors … about virtually every phase of a person’s life; his marital troubles, jobs, school history, childhood, sex life, and political activities.” The company was also alleged to reward its employees for collecting derogatory information on consumers.[12]

As a result, when the company moved to computerize its records, which would lead to much wider availability of the personal information it held, the U.S. Congress held hearings in 1970. These led to the enactment of the Fair Credit Reporting Act in the same year which gave consumers rights regarding information stored about them in corporate databanks. It is alleged that the hearings prompted the Retail Credit Company to change its name to Equifax in 1975 to improve its image.[12]

The company later expanded into commercial credit reports on companies in the United States, Canada and the UK, where it came into competition with companies such as Dun & Bradstreet and Experian. The insurance reporting was phased out. The company also had a division selling specialist credit information to the insurance industry but spun off this service, including the Comprehensive Loss Underwriting Exchange (CLUE) database, as ChoicePoint in 1997. The company formerly offered digital certification services, which it sold to GeoTrust in September 2001. In the same year, Equifax spun off its payment services division, forming the publicly listed company Certegy, which subsequently acquired Fidelity National Information Services in 2006. Certegy effectively became a subsidiary of Fidelity National Financial as a result of this reverse acquisition merger.

For most of its existence, Equifax has operated primarily in the business-to-business sector, selling consumer credit and insurance reports and related analytics to businesses in a range of industries. Business customers include retailers, insurance firms, healthcare providers, utilities, government agencies, as well as banks, credit unions, personal and specialty finance companies and other financial institutions. Equifax sells businesses credit reports, analytics, demographic data, and software. Credit reports provide detailed information on the personal credit and payment history of individuals, indicating how they have honored financial obligations such as paying bills or repaying a loan. Credit grantors use this information to decide what sort of products or services to offer their customers, and on what terms. Equifax also provides commercial credit reports, similar to Dun & Bradstreet, containing financial and non-financial data on businesses of all sizes. Equifax collects and provides data through the National Consumer Telecom and Utilities Exchange (NCTUE), an exchange of non-credit data including consumer payment history on telecommunications and utility accounts.[16][17]

In 1999, Equifax also began offering services to the credit consumer sector, such as credit fraud and identity theft prevention products. Equifax and other credit monitoring agencies are required by law to provide US residents with one free credit file disclosure every 12 months; the Annualcreditreport.com website incorporates data from U.S. Equifax credit records.

In 2016, Equifax partnered with CreditMantri, a credit facilitator based in Chennai (India), to offer free credit score and loan reports to its customers.[18][19]

According to an October 2017 report from Motherboard, around December 2016, a security researcher examining Equifax’s servers observed that an online portal, apparently created for Equifax employees only, was accessible to the open Internet.

“I didn’t have to do anything fancy,” the researcher told Motherboard, explaining that the site was vulnerable to a basic “forced browsing” bug. The researcher requested anonymity out of professional concerns. “All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax’s customers in 10 minutes: “I’ve seen a lot of bad things, but not this bad.”

The same types of sensitive private information of American consumers (names, birth dates, social security numbers, etc.) were exposed as in the May–July breach, according to Motherboard. Additionally, the security researchers said they were able to gain shell access on Equifax’s servers and discovered and reported to Equifax additional vulnerabilities. According to the reporting, despite receiving this warning from the security researcher, the affected portal was not closed until six months later in June, well after the March and May–July breaches had begun.[21] Moreover, the employee portal was reportedly not the same server targeted in the later breaches, which Motherboard speculates may suggest multiple breaches by more than one party may have occurred.

On September 18, 2017, Bloomberg News reported that Equifax had been the victim of a “major breach of its computer systems” in March 2017, and that in early March it had begun “notifying a small number of outsiders and banking customers” about this attack.[22]

According to Bloomberg, a person familiar with the breach believed this early-March intrusion may have been carried out by the same party that breached Equifax’s computer systems again in May. According to Bloomberg, Equifax enlisted Mandiant (owned by FireEye, Inc.) to assist in investigating the March attack. The same cybersecurity firm was hired following the May–July breach.[22]

[The Equifax breach] very possibly is the most severe of all for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals. By providing full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers, it provided most of the information banks, insurance companies, and other businesses use to confirm consumers are who they claim to be.

On September 7, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers.[24] Information on an estimated range of under 400,000 up to 44 million British residents as well as 8,000 Canadian residents was also compromised.[25][26][27][28][29] Equifax later revealed that an additional 11,670 Canadians were affected as well.[30] VentureBeat called the exposure of data on 140+ million customers “one of the biggest data breaches in history.”[31]

Though the attack was stated to have begun in mid-May, the breach was not observed until July 29, according to Equifax CEO Richard F. Smith and a subsequent report by Equifax.[9][24][32] Information accessed by the hacker (or hackers) in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were also accessed.[33][32]

On September 15, Equifax released a statement saying that it had hired Mandiant on August 2 to internally investigate the intrusion. The statement, however, did not specify precisely when government authorities (“all U.S. State Attorneys General” and “other federal regulators”) were notified of the breach, although it did assert “the company continues to work closely with the FBI in its investigation”.[32]

Equifax shares dropped 13% in early trading the day after the breach was made public.[34]

Numerous lawsuits have been filed against Equifax as a result of the breach.[35][36] In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.[35]

Equifax said the breach was facilitated using a flaw in Apache Struts (CVE-2017-5638).[41] A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.[42][43] However, this was not the only point of failure: contributing factors included the insecure network design which lacked sufficient segmentation,[44] potentially inadequate encryption of personally identifiable information (PII),[45] and ineffective breach detection mechanisms.[46]

On September 15, Equifax issued a press release with bullet-point details of the intrusion, its potential consequences for consumers, and the company’s response. The statement further commented on issues related to criticism regarding its initial response to the incident. The company also announced the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.[32][47]

Three days after Equifax revealed the May–July 2017 breach, Congressman Barry Loudermilk (R-GA), who had been given thousands of dollars by Equifax,[48][49] introduced a bill to the U.S. House of Representatives that would reduce consumer protections in relation to the nation’s credit bureaus, including capping potential damages in a class action suit to $500,000 regardless of class size or amount of loss.[50] The bill would also eliminate all punitive damages.[50][51] Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill “pending a full and complete investigation into the Equifax breach”.[50]

On September 28, 2017, new Equifax CEO Paulino do Rego Barros Jr. responded to criticism of Equifax by promising that the company would, from early 2018, allow “all consumers the option of controlling access to their personal credit data”, and that this service would be “offered free, for life”.[52]

On October 2, 2017, Equifax revealed that the estimated number of affected Americans was 2.5 million more than previously reported. This brought the total number of potentially impacted Americans to 145.5 million.[53]

In October 2017, the number of drivers’ licenses breached in the attack was reported to be 10-11 million.[59][60][61]

In September 2017, Richard Cordray, then director of the Consumer Financial Protection Bureau (CFPB), authorized an investigation into the data breach on behalf of affected consumers. However, in November 2017, Mick Mulvaney, President Donald Trump’s budget chief, who was appointed by Trump to replace Cordray, was reported by Reuters to have “pulled back” on the probe, along with shelving Cordray’s plans for on-the-ground tests of how Equifax protects data. The CFPB also rebuffed bank regulators at the Federal Reserve Bank, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency who offered to assist with on-site exams of credit bureaus.[62] Senator Elizabeth Warren, who released a report on the Equifax breach in February 2018, criticized Mulvaney’s actions, stating: “We’re unveiling this report while Mick Mulvaney is killing the consumer agency’s probe into the Equifax breach. Mick Mulvaney shoots another middle finger at consumers.”[63]

Since October 2017, hundreds of consumers have sued Equifax for the data breach, some winning small claims cases in excess of $9,000, including actual damages, future damages, anxiety, monitoring fees and punitive damages.[64]

Following the announcement of the May–July 2017 breach, Equifax’s actions received widespread criticism. Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September.[65] Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.[66]

It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public.[67] The company said the executives, including the chief financial officer John Gamble,[68][34] “had no knowledge that an intrusion had occurred at the time they sold their shares”.[69] On September 18, Bloomberg reported that the U.S. Justice Department had opened an investigation to determine whether or not insider trading laws had been violated.[70] “As Bloomberg notes, these transactions were not pre-scheduled trades and they took place on August 2, three days after the company learned of the hack”.

When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com[71]) for consumers to learn whether they were victims of the breach. Security experts quickly noted that the website had many traits in common with a phishing website: it was not hosted on a domain registered to Equifax, it had a flawed TLS implementation, and it ran on WordPress, which is not generally considered suitable for high-security applications. These issues led OpenDNS to classify it as a phishing site and block access.[23] Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their Social Security number.[72]

The website set up to check whether a person’s personal data had been breached (trustedidpremier.com) was determined by security experts and others to return apparently random results instead of accurate information.[72] As with https://www.equifaxsecurity2017.com, this website, too, was registered and constructed like a phishing website, and it was flagged as such by several web browsers.[73]

The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach) which included an arbitration clause with a class action waiver.[74][75] Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident.[75] According to Polly Mosendz and Shahien Nasiripour, “some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration”.[76] The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, “it’s unclear if that applies to the credit monitoring program”.[77] New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause.[78] Responding to arbitration-related concerns, on September 8, Equifax issued a statement stating that “in response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident”.[78] Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause “means nothing” because the terms of use state that they are the “entire agreement” between the parties.[78] The arbitration clause was later removed from equifaxsecurity2017.com,[78] and the equifax.com terms of use were amended on September 12 to state that they do not apply to www.equifaxsecurity2017.com, www.trustedidpremier.com, or www.trustedid.com and to exclude claims arising from those sites or the security breach from arbitration.[79][80]

Responding to continuing public outrage,[81] Equifax announced on September 12 that they “are waiving all Security Freeze fees for the next 30 days”.[82]

Equifax has been criticized by security experts for registering a new domain name for the site instead of using a subdomain of equifax.com. On September 20, it was reported that Equifax had been mistakenly linking to an unofficial “fake” web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting’s site was upfront that it was not official, however, telling visitors who had entered sensitive information that “you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!” Equifax apologized for the “confusion” and deleted the tweets linking to this site.[83][84][85]

In September 2017, Brian Krebs revealed that an Argentinian arm of Equifax had left private data from approximately 14,000 consumers, and more than 100 staff members, available to anyone who entered “admin” as both the username and password for one of its online systems.[86][87]

On October 8, 2017, Krebs reported that The Work Number, a website operated by Equifax’s TALX division, exposed the salary histories for employees of tens of thousands of US companies to anyone in possession of the employee’s Social Security Number and date of birth.[90][91] For roughly half the US population, both of the latter pieces of data are known to be in possession of criminals, following Equifax’s May–July 2017 security breach.[90][91]

On October 12, 2017, Equifax’s website was reported to have been offering visitors malware via drive-by download.[92][93] The malware was disguised as an update for Adobe Flash.[92][93][94][95] At that time, only 3 out of 65 top anti-malware products provided protection against the particular malware, meaning that many visitors were at risk of having their computers infected if visiting the Equifax website.[94]

The company has been fined by the Federal Trade Commission on two occasions for violating the Fair Credit Reporting Act (“FCRA”). In 2000, Equifax, along with Experian and TransUnion, was fined $2.5 million for blocking and delaying phone calls from consumers trying to get information about their credit. In 2003, the FTC took Equifax to court for the same reason and settled its lawsuit with the company for a fine of $250,000.[99][100]

In July 2013, a federal jury in Oregon awarded $18.6 million to Julie Miller of Marion County against Equifax for violations of the Fair Credit Reporting Act.[101] In her lawsuit, Miller alleged Equifax had merged her credit reports with another person with a different Social Security number, date of birth, and address. Miller contacted Equifax repeatedly in writing and over the telephone, but Equifax refused to delete dozens of false collection accounts from Miller’s credit report.[102] The award included $18.4 million in punitive damages, and $180,000 in compensatory damages. Miller’s lawyer, Justin Baxter, explained that the false reporting damaged Miller’s reputation, she was denied credit, and her private information was given to businesses Miller had no relationship with.[103] The jury’s verdict is believed to be the largest award in an individual case under the Fair Credit Reporting Act.[104] An Equifax spokesperson said that Equifax is considering appealing the jury’s verdict.[105] A federal judge reduced the award to $1.62 million in 2014.[106]

In 2014, Equifax and Heartland Bank were sued by Kimberly Haman of the St. Louis area for reporting she was dead.[107][108] A Heartland Bank spokesperson said the bank “immediately investigated and contacted the credit reporting agencies after Haman reported” she was still alive.[107] An Equifax “spokesperson told the Post-Dispatch that Equifax blocked the Heartland account information from appearing on Haman’s credit report after a reporter’s inquiry.”[101][107]

In April 2014, Equifax was sued in New York federal court by God Gazarov, who claimed the company erroneously reports him as having no credit history because of his unusual first name.[109]

On November 4, 2015, it was reported that a group of five Oklahomans had sued the company, claiming that Equifax “violated laws which require financial institutions to protect the security of their customers’ personal information.”[110] Equifax selected the law firm DLA Piper to work on the case in D.C. It had turned to Edelman for earlier crisis control after the October 2017 privacy breach.[111]

Consumer lawsuits claiming damages under the FCRA have been successful in small claims court.[112]